Setting up privateinternetaccess on qubes 3.2


Steven Walker

Jun 15, 2017, 8:15:22 PM
to qubes-users
Can anyone give me any feedback on how to set up privateinternetaccess on Qubes? I wrote to PIA, and they didn't really give me much help on how to set this up.

Any help greatly appreciated.

Thanks,

Steve

Chris Laprise

Jun 15, 2017, 11:03:02 PM
to Steven Walker, qubes-users
You want to first download the openvpn config from pia's
Download/Support page:
Choose Advanced OpenVPN SSL Usage Guides, then OpenVPN Configuration
Files... 'default' or 'strong'.

Then follow the Qubes doc "iptables and CLI" instructions here:

https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Chris Laprise

Jun 16, 2017, 10:56:02 PM
to Steven Walker, qubes-users
On 06/15/2017 11:02 PM, Chris Laprise wrote:
> On 06/15/2017 08:15 PM, Steven Walker wrote:
>> Can anyone give me any feedback on how to set up privateinternetaccess
>> on Qubes? I wrote to PIA, and they didn't really give me much help on
>> how to set this up.
>>
>> Any help greatly appreciated.
>>
>> Thanks,
>>
>> Steve
>>
>
> You want to first download the openvpn config from pia's
> Download/Support page:
> Choose Advanced OpenVPN SSL Usage Guides, then OpenVPN Configuration
> Files... 'default' or 'strong'.
>
> Then follow the Qubes doc "iptables and CLI" instructions here:
>
> https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>

BTW, I noticed there is an "easy" way to set up Network Manager
connections from PIA, if NM is what you prefer. Their "Advanced OpenVPN
Ubuntu" instructions have a script that adds VPN connections to Network
Manager. You can run this 'pia-nm.sh' script in a Qubes proxyVM *each*
time you start it.

To make the settings work permanently, you could copy
/etc/openvpn/pia*crt to /rw/config, then go into
/rw/config/NM-connections and edit the PIA files you intend to use and
change the path for the "ca " entry from /etc/openvpn to /rw/config.

Another way to make it permanent is to setup bind-dirs for /etc/openvpn.

Finally, you can protect against leaks by adding these lines to
/rw/config/qubes-firewall-user-script (and make it executable):

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
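As an added example, not code from the post above or from Qubes, here is a small shell script that writes those two leak-protection rules into /rw/config/qubes-firewall-user-script and then checks, from the output of `sudo iptables -L -v`, that a DROP rule on eth0 is the first rule in the FORWARD chain (the check Chris describes later in this thread). Assumed: eth0 is the proxyVM's upstream interface and the tunnel comes up on tun0. The iptables listings embedded below are constructed to show the shape of the real output; they were not captured from a Qubes VM.

```shell
#!/bin/sh
# Added example for a Qubes 3.2 VPN proxyVM (not code from the thread).
# Assumptions: eth0 faces sys-net, tun0 is the VPN tunnel, and
# qubes-firewall-user-script is re-run by qubes-firewall whenever it
# rewrites the ruleset.

# Write the user script that inserts two DROP rules at the top of FORWARD:
# nothing from downstream AppVMs may be forwarded straight out eth0, and
# nothing arriving on eth0 may be forwarded to them. Only tun0 is left as
# a path, so while the VPN is down the AppVMs have no route out at all.
write_leak_guard() {
    script=${1:-/rw/config/qubes-firewall-user-script}
    cat > "$script" <<'EOF'
#!/bin/sh
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
EOF
    chmod +x "$script"
}

# Print "target in out" of the first rule in the FORWARD chain, reading
# `iptables -L -v` output from stdin (columns: pkts bytes target prot opt
# in out source destination).
first_forward_rule() {
    awk '
        /^Chain /          { inchain = ($2 == "FORWARD"); header = 0; next }
        inchain && !header { header = 1; next }        # skip column header line
        inchain && NF > 0  { print $3, $6, $7; exit }  # first real rule
    '
}

# Exit 0 when the guard is active: first FORWARD rule is DROP on eth0.
leak_guard_ok() {
    set -- $(first_forward_rule)
    [ "$1" = "DROP" ] && { [ "$2" = "eth0" ] || [ "$3" = "eth0" ]; }
}

# Constructed listings in the shape `sudo iptables -L -v` prints.
SAMPLE_GOOD='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  lo     any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             anywhere
    0     0 DROP       all  --  any    eth0    anywhere             anywhere
  340   28K ACCEPT     all  --  any    tun0    anywhere             anywhere'

SAMPLE_BAD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340   28K ACCEPT     all  --  vif+   eth0    anywhere             anywhere'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | leak_guard_ok && echo "guard active"
    printf '%s\n' "$SAMPLE_BAD"  | leak_guard_ok || echo "guard MISSING"
fi
# Real use inside the proxyVM:  sudo iptables -L -v | leak_guard_ok && echo ok
```

Two caveats a practitioner will want: the FORWARD rules only govern traffic forwarded on behalf of downstream AppVMs, so the proxyVM's own processes (openvpn itself has to reach PIA over eth0) are not covered and leak tests belong in an AppVM behind the proxy, not in the proxyVM; and because `-I` inserts at the top, the rules sit above whatever qubes-firewall generates, which is why they go in the user script rather than being typed once by hand.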

qubester

Jun 17, 2017, 11:30:46 PM
to qubes-users
I have PIA. I'd suggest just using the CLI; slog through it and pick
two geo locations you want, like one in the US and one outside.

I used this :
https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219438247-Installing-OpenVPN-PIA-on-Linux

Then the CLI stuff; it's a little tricky at a few points, and if it
fails, better just wipe the whole VM and start over till it's stable.

But I also tried the Network Manager, and in the long term it's just
more PITA. It gives you seemingly more geolocations more easily with the
script, but it's constantly going up and down if you suspend your
computer.

And just too time consuming, unless you MUST have many geo locations,
but even then

With the CLI just watch that you're in the correct dir when you're doing
things, and your permissions. I suggest just copy and paste verbatim;
then one little mistake won't b0rk the whole attempt.

Once you get one working, it goes quicker the 2nd time, though it took me
a long time to get 2 stable. But then you'll never have to guess if
your VPN is up or not, as unlike the NManager, it won't work unless
it's up.


Then you need to make a launcher on the desktop to restart rc.local
after suspend; see the previous stuff Mr. Laprise contributed.

And then sometimes/often you'll have to manually right-click execute
multiple times till it's back up after suspend, but it's at least reliable.

vel...@tutamail.com

Feb 12, 2018, 7:01:19 PM
to qubes-users
I have tried, tried, tried ...and tried and I am over my head! (Fedora 26, Qubes 3.2)

I am stuck....

I tried this:
https://www.qubes-os.org/doc/vpn/

and this; this was a pretty good video but unfortunately it's not the same as PIA's config:
https://www.youtube.com/watch?v=K1_zqT7_N7k (Nice video internetz.me...learned a lot)

Qubester I went down your path as well but wasn't sure where to go after.


But I couldn't really get off step 2 of the Qubes instructions...primarily due to my Linux skills.

Can anybody help?

I got a NetVM working but without a kill switch and with credentials exposed it just doesn't work for me.

Looking at the Qubes instructions, I was able to create the "sudo mkdir /rw/config/vpn" but then things fall apart.

My specific questions from the VPN instructions that keep derailing me, specifically the basic commands needed, are:

1) How do I copy files to: "Copy your VPN config files to /rw/config/vpn"?
2) "Create a file in the /rw/config/vpn folder with your credentials and using a directive"...how do I do this?
3) I haven't gotten further but suspect I'll have more questions.

Anybody have a source for a tutorial...I have googled the h3ll out of this and have more questions than answers.

I will give you my first born(or a beer/wine!) for a step-by-step on how to do this!

This seems like an absolute must feature but I am at my wits end.

Help!

Here are the sad instructions I have so far:

sudo -s

dnf install nano

y

mkdir /rw/config/vpn

Chris Laprise

Feb 13, 2018, 5:01:58 AM
to vel...@tutamail.com, qubes-users
On 02/12/2018 07:01 PM, vel...@tutamail.com wrote:
> I have tried, tried, tried ...and tried and I am over my head! (Fedora 26, Qubes 3.2)
>
> I am stuck....
>
> I tried this:
> https://www.qubes-os.org/doc/vpn/
>
> and this; this was a pretty good video but unfortunately it's not the same as PIA's config:
> https://www.youtube.com/watch?v=K1_zqT7_N7k (Nice video internetz.me...learned a lot)
>
> Qubester I went down your path as well but wasn't sure where to go after.
>
>
> But I couldn't really get off step 2 of the Qubes instructions...primarily due to my Linux skills.
>
> Can anybody help?
>
> I got a NetVM working but without a kill switch and with credentials exposed it just doesn't work for me.
>
> Looking at the Qubes instructions, I was able to create the "sudo mkdir /rw/config/vpn" but then things fall apart.
>
> My specific questions from the VPN instructions that keep derailing me, specifically the basic commands needed, are:
>
> 1) How do I copy files to: "Copy your VPN config files to /rw/config/vpn"?


Each VPN service supplies configs in their own way, but usually there
should be some option to simply download a zip or tar.

In PIA's case they don't make it easy to find where the openvpn configs
are, but they're there:

https://www.privateinternetaccess.com/pages/client-support/#fifth

Any of the three *ip, *tcp or *strong-tcp will work.

After downloading the file, unzip the contents to /rw/config/vpn. For
example:

$ cd /rw/config/vpn
$ sudo unzip ~/Downloads/openvpn-ip.zip

There are multiple configs (one for each region) so pick one and copy it
to the config filename that will be used:

$ sudo cp "US East.ovpn" openvpn-client.ovpn


--

At this point you can continue with the doc instructions, but I'd
recommend switching to the method at
https://github.com/tasket/Qubes-vpn-support

It comes with an installer and you'll notice the instructions are pretty
simple.


> 2) "Create a file in the /rw/config/vpn folder with your credentials and using a directive"...how do I do this?

This is done automatically by the Qubes-vpn-support installer. To do it
manually, just "sudo nano /rw/config/vpn/pass.txt" and add your PIA
username and password, one on each line.

> 3) I haven't gotten further but suspect I'll have more questions.
>
> Anybody have a source for a tutorial...I have googled the h3ll out of this and have more questions than answers.

I'm preparing new vpn tunnel support in Qubes and a simplified doc to go
with it. This should be available within a week or two. In the meantime
I suggest using Qubes-vpn-support at the above link.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
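The two steps answered above (getting the chosen PIA config into /rw/config/vpn and creating the credentials file) are exactly where the original poster got stuck, so here they are together as an added shell example. This is not code from the Qubes doc or from Qubes-vpn-support; it is written for this page. Assumed: the PIA zip has already been unzipped somewhere; each region file is named like "US East.ovpn" and names its CA/CRL files with "ca" and "crl-verify" lines; openvpn is later started with /rw/config/vpn as its working directory, so "auth-user-pass pass.txt" resolves there. The config used in the demo is constructed, not a real PIA file.

```shell
#!/bin/sh
# Added example (not from the Qubes doc or Qubes-vpn-support).
# prepare_vpn_dir DEST SRC REGION USERNAME PASSWORD
#   DEST   target directory, normally /rw/config/vpn (needs root for that path)
#   SRC    directory holding the unzipped PIA bundle
#   REGION region file name without ".ovpn", e.g. "US East"
prepare_vpn_dir() {
    dest=$1; src=$2; region=$3; user=$4; pass=$5
    cfg=$dest/openvpn-client.ovpn

    mkdir -p "$dest"
    cp "$src/$region.ovpn" "$cfg"

    # Copy whatever certificate/CRL files the chosen config names
    # (e.g. "ca ca.rsa.2048.crt", "crl-verify crl.rsa.2048.pem") so the
    # config still works after the Downloads folder is gone.
    # PIA's file names contain no spaces, so plain word splitting is fine.
    for f in $(awk '$1 == "ca" || $1 == "crl-verify" || $1 == "cert" || $1 == "key" { print $2 }' "$cfg"); do
        [ -f "$src/$f" ] && cp "$src/$f" "$dest/$f"
    done

    # Credentials: created under umask 077 so the file is never readable by
    # anyone but its owner, not even for an instant. Two lines: user, password.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dest/pass.txt" )

    # PIA configs carry a bare "auth-user-pass" (interactive prompt); replace
    # it with one that reads pass.txt, relative to the config directory.
    if grep -q '^auth-user-pass' "$cfg"; then
        grep -v '^auth-user-pass' "$cfg" > "$cfg.tmp" || true
        mv "$cfg.tmp" "$cfg"
    fi
    echo 'auth-user-pass pass.txt' >> "$cfg"

    # The name the handler script looks for (the thread's "ln -s" step).
    ln -sf openvpn-client.ovpn "$dest/vpn-client.conf"
}

# vpn_dir_ok DEST: exit 0 when the directory is complete and the
# credentials file is readable by its owner only (mode 600).
vpn_dir_ok() {
    dest=$1; cfg=$dest/openvpn-client.ovpn
    [ -f "$cfg" ] && [ -L "$dest/vpn-client.conf" ] || return 1
    [ "$(ls -ld "$dest/pass.txt" | cut -c1-10)" = "-rw-------" ] || return 1
    grep -q '^auth-user-pass pass.txt$' "$cfg" || return 1
    for f in $(awk '$1 == "ca" || $1 == "crl-verify" { print $2 }' "$cfg"); do
        [ -f "$dest/$f" ] || return 1
    done
    return 0
}

# Demo on a throwaway directory with a constructed config: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/src"
    printf 'client\nremote us-east.privateinternetaccess.com 1198\nca ca.rsa.2048.crt\ncrl-verify crl.rsa.2048.pem\nauth-user-pass\n' > "$tmp/src/US East.ovpn"
    echo 'constructed, not a real certificate' > "$tmp/src/ca.rsa.2048.crt"
    echo 'constructed, not a real CRL' > "$tmp/src/crl.rsa.2048.pem"
    prepare_vpn_dir "$tmp/vpn" "$tmp/src" "US East" p1234567 'not-a-real-password'
    vpn_dir_ok "$tmp/vpn" && echo "ok: $tmp/vpn"
fi
```

In a real proxyVM the call is `sudo sh thisfile` with a function call at the end such as `prepare_vpn_dir /rw/config/vpn ~user/Downloads/openvpn-ip "US East" p1234567 'password'`; run it as root so pass.txt ends up owned by root, which is what keeps the credentials out of reach of anything running as the unprivileged user in that VM. The "credentials exposed" worry from earlier in the thread is addressed by the umask and the root ownership, not by the directive itself.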

vel...@tutamail.com

Feb 13, 2018, 5:23:20 PM
to qubes-users
Thanks Chris (and "tasket"!)....took me a few tries but I managed to get it going; I tweaked the implementation a bit (scary).

I was not however able to get this command going from step #3 of the Github guide: sudo /usr/lib/qubes/qubes-vpn-setup --config

I doubt I did this right/well but when I went to DNSleaktest.com it showed no leaks.

Couple of questions:
* What security am I not getting by doing step #3?
* Is using a script from Github good? Appreciate the lead but will this be sanctioned by the Qubes community long term?
* How can I test the kill switch functionality?
* Any feedback, comments, ways to do it better?

Looking forward to those instructions Chris...

My sketchy/newbie steps are detailed below:

Create Proxy VM: make it green, proxy, connected to sys-net, and name it

Add Files and Firefox in applications (didn't really need Firefox as I could download it in a disposable and then move it to my new sys-VPN)

Go to the Services tab and add vpn-handler-openvpn, then hit the + button

Notes:
* All commands were done in the proxy VM (No template was used)
* Not a huge terminal expert, so used GUI for some things

Download config files:
https://github.com/tasket/Qubes-vpn-support hit the green Clone or Download button
https://www.privateinternetaccess.com/pages/client-support/ (Download the “openvpn-ip.zip” file) specifically https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip

Unzip openvpn-ip.zip in download folder
Manually change the name in the file from "US East.ovpn" to "openvpn-client.ovpn"

sudo mkdir /rw/config/vpn
sudo mv "openvpn-client.ovpn" '/rw/config/vpn'
sudo mv ".crt file" '/rw/config/vpn'
sudo mv ".pem file" '/rw/config/vpn'

cd '/home/user/Downloads/Qubes-vpn-support-master'
Type cd (space), then drag and drop the whole "Qubes-vpn-support" folder from "Github" in your Downloads folder (manually unzipped by double-clicking)

sudo bash ./install

Enter VPN User name and password


Close terminal

cd /rw/config/vpn
sudo ln -s openvpn-client.ovpn vpn-client.conf

Restart VM

Connect your VMs


Chris Laprise

Feb 14, 2018, 11:47:09 AM
to vel...@tutamail.com, qubes-users
On 02/13/2018 05:23 PM, vel...@tutamail.com wrote:
> Thanks Chris (and "tasket"!)....took me a few tries but I managed to get it going; I tweaked the implementation a bit (scary).
>
> I was not however able to get this command going from step #3 of the Github guide: sudo /usr/lib/qubes/qubes-vpn-setup --config
>
> I doubt I did this right/well but when I went to DNSleaktest.com it showed no leaks.

Since you installed into a proxyVM only (not a template) you should skip
this command anyway (per instructions).


>
> Couple of questions:
> * What security am I not getting by doing step #3?
> * Is using a script from Github good? Appreciate the lead but will this be sanctioned by the Qubes community long term?

That depends. For one, you should be accessing github through HTTPS
which offers some protection. As for my veracity/trustworthiness that is
ultimately up to you, but looking at the commits you'll notice they are
cryptographically signed by me so they can be verified in 'git'. And
there is the pattern of my (signed) contributions accepted to Qubes and
other projects.

I'm helping add new vpn tunnel features in Qubes itself, so you can
think of this as most of Qubes-vpn-support being incorporated into the OS.

> * How can I test the kill switch functionality?

If you mean anti-leak, you can try leak testing sites* like you
mentioned or try monitoring traffic in an upstream vm for any packets
sent to non-vpn addresses.

*Some more sites: https://github.com/tasket/Qubes-vpn-support/issues/1

One way you can check if the firewall script is running is if 'sudo
iptables -L -v' shows the following rule at the top of the FORWARD section:

DROP all -- eth0 any anywhere anywhere


Thanks for the feedback!

vel...@tutamail.com

Feb 14, 2018, 1:31:42 PM
to qubes-users
Thank you Tasket\Chris...

Thanks for the education on trust/veracity/trustworthiness with Github.

You and the Qubes team are doing a good thing! I really appreciate all the help...

Thank you!

V

vel...@tutamail.com

Mar 5, 2018, 11:04:29 AM
to qubes-users
Again, I have been using the Tasket VPN setup with Fedora 26 for a few weeks and it works well...love the kill switch element!

I was hoping to beef up the security(maybe compromise the privacy) of the VPN service by adding OpenDNS or Quad9 DNS addresses to this configuration.

My questions I was hoping to get some thoughts on were:

1) I was presented with a phishing site the other day...understand I am being targeted so I am not surprised. Is OpenDNS, Quad9 better than others? Are there others that would provide just as good filtering?

2) Tasket, I found some documentation in the Qubes-vpn-support-master (README.md file) and it references the ability to change your DNS address:

You can manually set your VPN's DNS addresses with:
```
export vpn_dns="<dns addresses>"
sudo /rw/config/vpn/qubes-vpn-ns up
```

How would I specifically change this? Is this a command? Would this be the specific command I would enter into my VPN VM if I was using OpenDNS:

export vpn_dns="208.67.222.222 208.67.220.220"
sudo /rw/config/vpn/qubes-vpn-ns up


I am asking here in the spirit of maybe providing some help to people trying to do the same thing...

Gratefully,
V

Chris Laprise

Mar 5, 2018, 4:50:55 PM
to vel...@tutamail.com, qubes-users
On 03/05/2018 11:04 AM, vel...@tutamail.com wrote:
> Again I have been using the Tasket VPN setup with Fedora 26 for a few weeks and it works well...love the kill switch element!
>
> I was hoping to beef up the security(maybe compromise the privacy) of the VPN service by adding OpenDNS or Quad9 DNS addresses to this configuration.
>
> My questions I was hoping to get some thoughts on were:
>
> 1) I was presented with a phishing site the other day...understand I am being targeted so I am not surprised. Is OpenDNS, Quad9 better than others? Are there others that would provide just as good filtering?

Does this mean PIA's DNS converted a good domain name into a phishing IP
address? Or was the phishing site arrived at by some other means (email,
typo)?

My inclination is to view the VPN provider's nameservers as the safer
option, but not if it's serving wrong IPs.

Not sure what OpenDNS users would say on the subject...


>
> 2) Tasket, I found some documentation in the Qubes-vpn-support-master (README.md file) and it references the ability to change your DNS address:
>
> You can manually set your VPN's DNS addresses with:
> ```
> export vpn_dns="<dns addresses>"
> sudo /rw/config/vpn/qubes-vpn-ns up
> ```
>
> How would I specifically change this? Is this a command? Would this be the specific command I would enter into my VPN VM if I was using OpenDNS:
>
> export vpn_dns="208.67.222.222 208.67.220.220"
> sudo /rw/config/vpn/qubes-vpn-ns up
>
>
> I am asking here in the spirit of maybe providing some help to people trying to do the same thing...

Those shell commands could be used manually for testing purposes, for
example. But the placement and phrasing is confusing so I'll change it.

For your purposes -- forcing particular DNS addresses despite the
numbers that the VPN provider sends over DHCP -- the setenv example in
the qubes-vpn-ns script comments is better. So if you want to use DNS
8.8.8.8 you can put this in your openvpn config file:

setenv vpn_dns '8.8.8.8'

Then whenever openvpn calls qubes-vpn-ns script it will see the vpn_dns
variable is already set and will use that instead.

-

And since DNS is now the subject.....

Both the VPN doc and Qubes-vpn-support 1.3 force all DNS requests to go
through the tunnel (or else blocked). However, this does not mean an
appVM will always send requests to the DNS server you want; it could
conceivably try to use some other DNS server for nefarious purposes
(although the threat model for this is weak).

TheirryIT was looking for a way to make sure the proper DNS servers were
addressed for all DNS requests, so in 1.4beta2 I changed the dnat rules
to convert all addresses for DNS request packets to the proper servers.

So my advice is to use the 1.4beta2 from the 'qubes4' branch (not
currently 'master') if you aren't already. Only caveat is that, although
it's intended to still be compatible with Qubes 3.2, I haven't tested it
yet on 3.2.

vel...@tutamail.com

Mar 6, 2018, 5:30:03 PM
to qubes-users
Pretty slick Chris...

I just reconfigured with your Qubes4 (https://github.com/tasket/Qubes-vpn-support/tree/qubes4)...I assume it defaults to 1.4beta2. I added the following to the PIA OpenVPN config file:

setenv vpn_dns '208.67.222.222'

...at the bottom of the config file and hit "save".

I went to:

https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-

and it showed it worked OpenDNS was "active".

Question:
1) If I wanted to put both OpenDNS IPs into this would the addition to the config file look like this?:

setenv vpn_dns '208.67.222.222 208.67.220.220'
(i.e. space between the IPs)

I'll keep you posted how it works on Qubes 3.2...not sure I can do any formal tests but it is working. Would be happy to try if you tell me how...otherwise I'll keep you posted on what I see.

Thanks again for all you do...this is super hero type stuff!!

V

Chris Laprise

Mar 6, 2018, 6:40:57 PM
to vel...@tutamail.com, qubes-users
On 03/06/2018 05:30 PM, vel...@tutamail.com wrote:
> Pretty slick Chris...
>
> I just reconfigured with your Qubes4 (https://github.com/tasket/Qubes-vpn-support/tree/qubes4)...I assume it defaults to 1.4beta2. I added the following to the PIA OpenVPN config file:


Yes, the Readme there will say 1.4beta2. I need to get better at
assigning version tags.

>
> setenv vpn_dns '208.67.222.222'
>
> ...at the bottom of the config file and hit "save".
>
> I went to:
>
> https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-
>
> and it showed it worked OpenDNS was "active".
>
> Question:
> 1) If I wanted to put both OpenDNS IPs into this would the addition to the config file look like this?:
>
> setenv vpn_dns '208.67.222.222 208.67.220.220'
> (i.e. space between the IPs)


Yes, that's all. FYI, as with regular Qubes DNS config, assigning more
than two currently will behave as if there are only two.

>
> I'll keep you posted how it works on Qubes 3.2...not sure I can do any formal tests but it is working. Would be happy to try if you tell me how...otherwise I'll keep you posted on what I see.


That's already good feedback to have. Thanks!

For formal tests there are traceroute, the test you linked,
dnsleaktest.com, ipleak.net. You can also try using a packet monitoring
program. I'll be updating the leak testing issue (#1) with a bit more
info tonight.

The only type of "leak" I'm currently seeing is WebRTC doing its thing
in the browser, showing the VM's internal address. This is a
fingerprinting issue that is best addressed with a browser extension
like Chris Antaki's 'Disable WebRTC':

https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/
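The DNS behaviour described in the two replies above (a `setenv vpn_dns` line in the .ovpn file overriding whatever PIA pushes, only the first two addresses being honoured, and 1.4beta2 rewriting the destination of every DNS request from downstream qubes to the chosen servers) is shown in one place in this added example. It is not the qubes-vpn-ns script from Qubes-vpn-support; it is a stand-alone sketch of the same decision written for this page. Assumed: OpenVPN exports `setenv` variables and, as `foreign_option_N`, the pushed "dhcp-option DNS x.x.x.x" lines to its up/down scripts; downstream qubes attach on vif+ interfaces; and the rules are printed rather than applied so they can be inspected before use. The pushed addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the qubes-vpn-ns script from Qubes-vpn-support.
# resolve_vpn_dns: print the nameservers the tunnel should use, one per
# line, at most two. $vpn_dns wins when set ("setenv vpn_dns '...'" in the
# .ovpn file, which OpenVPN exports to its scripts, or set in the shell for
# testing); otherwise the servers pushed by the VPN server are read from
# OpenVPN's foreign_option_N variables.
resolve_vpn_dns() {
    servers=""
    if [ -n "${vpn_dns:-}" ]; then
        servers=$vpn_dns
    else
        i=1
        while :; do
            eval "opt=\${foreign_option_$i:-}"
            [ -n "$opt" ] || break
            case "$opt" in
                "dhcp-option DNS "*) servers="$servers ${opt#dhcp-option DNS }" ;;
            esac
            i=$((i + 1))
        done
    fi
    set -- $servers                    # split on whitespace
    [ $# -gt 2 ] && set -- "$1" "$2"   # same two-address limit as Qubes' own DNS config
    [ $# -gt 0 ] && printf '%s\n' "$@"
    return 0
}

# dns_dnat_rules DNS1 [DNS2]: print iptables commands that rewrite the
# destination of every port-53 request arriving from downstream qubes
# (vif+), whatever address the qube asked for, to the chosen servers.
# With two servers, requests alternate between them (statistic/nth).
dns_dnat_rules() {
    dns1=$1; dns2=${2:-}
    for proto in udp tcp; do
        base="iptables -t nat -A PREROUTING -i vif+ -p $proto --dport 53"
        if [ -n "$dns2" ]; then
            echo "$base -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination $dns1"
            echo "$base -j DNAT --to-destination $dns2"
        else
            echo "$base -j DNAT --to-destination $dns1"
        fi
    done
}

# Both steps together; "sh thisfile --demo | sudo sh" would apply them.
vpn_dns_rules() {
    set -- $(resolve_vpn_dns)
    [ $# -gt 0 ] || { echo "no DNS servers known" >&2; return 1; }
    dns_dnat_rules "$@"
}

if [ "${1:-}" = "--demo" ]; then
    # constructed values: what a VPN server might push, then the override
    # used in this thread
    ( vpn_dns=''; foreign_option_1='dhcp-option DNS 10.0.0.243'
      foreign_option_2='dhcp-option DNS 10.0.0.242'; vpn_dns_rules )
    echo '---'
    ( vpn_dns='208.67.222.222 208.67.220.220'; vpn_dns_rules )
fi
```

What the DNAT does and does not buy: it catches any resolver address a qube tries to use on port 53, which closes the "nefarious DNS server" case Chris mentions, but a browser doing DNS over HTTPS, or anything talking to a resolver on another port, is just ordinary tunnelled traffic and is untouched. That is the weak-threat-model qualification above. Note also that the rules have to be redone whenever the tunnel's DNS changes, which is why the real implementation runs as an OpenVPN up/down hook rather than once at boot.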

vel...@tutamail.com

Mar 27, 2018, 7:49:58 PM
to qubes-users
My Fedora setup is still working great. Passes OpenDNS check when they are added to config, reconnects generally after I turn off my wireless.

I am trying to get this to work with a stock Debian9 template(upgraded from Debian8 with stock install).

I can't seem to get it to work with Debian; the closest I have come is a pop-up alert saying "Ready to connect" or words to that effect. I feel like I am missing a basic step in adding OpenVPN. I am adding the following commands:

su
apt-get install openvpn
apt-get install nautilus
apt-get install network-manager-openvpn-gnome ?????

It just works using the Fedora 26 template(Not minimal template)...

Any suggestions?

Thanks in advance...

Chris Laprise

Mar 27, 2018, 9:13:13 PM
to vel...@tutamail.com, qubes-users
An upgraded Debian 8 to 9 template is what I use normally. Adding
network-manager bits is unnecessary.

If you get "Ready to connect" but nothing after, it's possible you didn't
add the vpn/vpn-client.conf file (via the command that starts with "ln
-s"). The journalctl log would say somewhere that the file wasn't found,
or could point out some other problem you need to address.

john

Apr 24, 2018, 1:35:51 AM
to qubes...@googlegroups.com
Velcro,
Why don't you use the Qubes docs and use the command line setup, not
Network Manager? In the long run it will be less of a puzzle, IMO.

PS: can you be more explicit about what you're saying? Are you saying VPN works
using a Fed-26 template but not a Debian-9 version?

I don't think anyone can help you if you don't state, what you are
doing, and what does and doesn't work :)

john

Apr 24, 2018, 3:36:29 PM
to qubes...@googlegroups.com
Oh, sorry, disregard; didn't realize you were referring to the GitHub
tasket VPN script??

Funny, I believe he actually designs it for Debian > Fedora :)

Still, I guess we're to assume you downloaded the PIA config files to
the correct dir etc.?

https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219438247-Installing-OpenVPN-PIA-on-Linux

rivercit...@gmail.com

Oct 25, 2018, 10:10:42 PM
to qubes-users
Cheers man!

I spent like 2 hours trying to figure this out!

I tried the method listed in the Qubes documentation, which didn't work for me, and your method worked on the first try.


Thanks!